Integrate SecurityScorecard with the Splunk security information and event management (SIEM) platform so that you can use Scorecard data in Splunk and enhance your security and risk insights.
The integration uses three major data components from the SecurityScorecard platform:
- SecurityScorecard’s overall letter-grade security ratings, which enable you to quickly and easily understand the cybersecurity posture of an organization
- SecurityScorecard’s underlying factor data in key risk categories, including Application Security, Malware, Patching Cadence, Network Security, Hacker Chatter, Social Engineering, and Passwords Exposed. Each of these factors is predictive. For example, organizations with a C, D, or F rating in Social Engineering are more than 400 percent more likely to experience a data breach than those with an A or B rating.
- SecurityScorecard issue-related data, which offers a breadth and depth of critical data points across more than 80 different issue types not available from any other security ratings provider.
You can choose to monitor your own Scorecard, third-party scorecards, or both. Once installed, the add-on pulls scores and issue-level event information once a day and logs them to Splunk.
You can leverage the power of Splunk to search, visualize, create alerts and take action, so you can efficiently monitor your own cybersecurity risk as well as the risk posed by your third parties.
Set up the integration
Create a bot user with an API token
Note: If you do not have administrative permissions in SecurityScorecard, ask an administrator to create the user and API token for you.
- In SecurityScorecard, click your profile avatar and select My Settings.
- On the Users tab under Admin Settings, click Add User.
- Make the new user a bot so that it will not expire. This prevents a scenario where human users attempt to refresh an expired API token, causing the integration to stop working.
- Click Add.
- Name the bot user and make sure it has read-only access. Then click Add.
- Click Create token for the new bot user.
- Copy the API token and click Done.
Install the SecurityScorecard components
The SecurityScorecard integration includes two components:
- An add-on, which is responsible for connecting SecurityScorecard data to Splunk.
- An app, which is a collection of dashboards that make that data easier to use.
- In Splunk, select Find More Apps on the main page.
- Search for SecurityScorecard and install both the add-on and the app.
Configure the add-on
Configure the add-on first because it brings data in from SecurityScorecard.
- Select the add-on from the dropdown menu under Apps on the top menu.
- Select the Configuration tab.
- Click Add to create a new set of credentials.
- Enter your API token in the following dialog.
- Go to the tab titled Inputs.
- Select Create New Input to bring up a configuration dialog.
- Provide information in the configuration fields, including the following:
- Name - Create a unique name for this configuration set.
- Interval - Select how often data should be pulled, in seconds. The default setting is 86400 seconds (24 hours), because SecurityScorecard generates new data once a day.
- Index - Indicate the index to log SecurityScorecard data to.
- Your Domain - Enter your organization’s domain name for self-monitoring.
- Global Account - Enter the account configured in the preceding steps.
- SecurityScorecard API URL - Enter the URL, typically https://api.securityscorecard.io/.
- Portfolios - If you want to monitor third-party companies, enter a comma-separated list of portfolio IDs from SecurityScorecard. Enter all to collect from all monitored organizations.
Tip: You can copy a portfolio ID from the address bar when viewing a portfolio in the SecurityScorecard platform.
- Click Add.
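To make the input settings above concrete, here is an added example (not code from SecurityScorecard's add-on or from Splunk) of a minimal collector that does what the configured input describes: it resolves the Portfolios field ("all" or a comma-separated list of IDs), pulls the scorecard for your own domain and for every company in the selected portfolios, and shapes each result as a Splunk HTTP Event Collector event tagged with the configured index. The REST paths `portfolios`, `portfolios/{id}/companies` and `companies/{domain}`, the `Authorization: Token <api_token>` header and the sourcetype name are assumptions not stated on the page; the HTTP layer is injectable, and the `constructed_fetch` responses are made up so the example runs offline.

```python
"""Added example: a minimal SecurityScorecard -> Splunk HEC collector.
Not the add-on's own code. Endpoint paths, the token header format and the
sourcetype name are assumptions; constructed_fetch returns made-up data."""
import json
import time
import urllib.request
from typing import Callable, Dict, List, Optional

API_URL = "https://api.securityscorecard.io/"   # value given on the page
DEFAULT_INTERVAL_SECONDS = 86400                # add-on default: once a day


def parse_portfolios(setting: str) -> Optional[List[str]]:
    """Mirror the add-on's Portfolios field: 'all' means every portfolio
    (returned as None); otherwise a comma-separated list of portfolio IDs.
    Blank entries from trailing commas or stray spaces are ignored."""
    if setting.strip().lower() == "all":
        return None
    return [p.strip() for p in setting.split(",") if p.strip()]


def make_http_fetch(api_token: str, base_url: str = API_URL) -> Callable[[str], dict]:
    """Real transport. The read-only bot token travels only in the request
    header and is never written to the events themselves. The header format
    'Token <api_token>' is an assumption about the SecurityScorecard API."""
    def fetch(path: str) -> dict:
        url = base_url.rstrip("/") + "/" + path.lstrip("/")
        req = urllib.request.Request(
            url, headers={"Authorization": f"Token {api_token}",
                          "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def collect_events(fetch: Callable[[str], dict], own_domain: str,
                   portfolios_setting: str, index: str,
                   now: Optional[float] = None) -> List[dict]:
    """One daily pull: own scorecard first, then each portfolio company.
    Returns HEC-shaped events ({time, index, sourcetype, event})."""
    now = time.time() if now is None else now
    portfolio_ids = parse_portfolios(portfolios_setting)
    if portfolio_ids is None:                       # 'all' -> enumerate portfolios
        portfolio_ids = [p["id"] for p in fetch("portfolios")["entries"]]

    # domain -> portfolio id; None marks the self-monitored domain.
    # A dict keeps insertion order and de-duplicates a company that appears
    # in several portfolios, so each scorecard is fetched once.
    targets: Dict[str, Optional[str]] = {own_domain: None}
    for pid in portfolio_ids:
        for company in fetch(f"portfolios/{pid}/companies")["entries"]:
            targets.setdefault(company["domain"], pid)

    events = []
    for domain, pid in targets.items():
        card = fetch(f"companies/{domain}")
        events.append({
            "time": now,
            "index": index,
            "sourcetype": "securityscorecard:scorecard",   # name chosen for this example
            "event": {
                "domain": domain,
                "score": card["score"],
                "grade": card["grade"],
                "portfolio_id": pid,
                "self_monitoring": pid is None,
            },
        })
    return events


# Constructed responses standing in for the API so the example runs offline.
CONSTRUCTED_RESPONSES = {
    "portfolios": {"entries": [{"id": "pf-1", "name": "Vendors (constructed)"}]},
    "portfolios/pf-1/companies": {"entries": [{"domain": "vendor-a.example"},
                                              {"domain": "vendor-b.example"}]},
    "companies/mycompany.example": {"score": 91, "grade": "A"},
    "companies/vendor-a.example": {"score": 68, "grade": "D"},
    "companies/vendor-b.example": {"score": 82, "grade": "B"},
}


def constructed_fetch(path: str) -> dict:
    """Offline stand-in for make_http_fetch(); serves the constructed data."""
    return CONSTRUCTED_RESPONSES[path]


if __name__ == "__main__":
    # Each line printed here is the JSON body you would POST to Splunk HEC.
    for ev in collect_events(constructed_fetch, "mycompany.example", "all", "ssc"):
        print(json.dumps(ev))
```

Running it with the real transport only means swapping `constructed_fetch` for `make_http_fetch(token)` and scheduling the call every `DEFAULT_INTERVAL_SECONDS`; because the token is supplied to the transport rather than to the events, nothing that reaches the index carries the credential.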
Configure the App
- Select the app from the top menu.
- Click Continue to app setup page.
- Select your organization’s domain from the drop-down list and click Save.
Start using the integration
Once configured, the integration automatically pulls data daily from SecurityScorecard.
Use the following dashboards:
- My Scorecard displays the top-level score and grade, score trend, factor scores, and issues for your domain.
- Vendor Scores is a summary of scores for all vendors included in the configured portfolios. It shows the top-level grade and score for each company, as well as their factor information. It also shows issues that exist for each vendor. Filter this by portfolio, company and industry.
- Active Issues shows a summary of active issues within the specified timeframe, one table of issue types by factor, and another by severity. Filter this table by portfolio, company, factor, and industry.
- Vendor Issues is a set of dashboards that display issues for each vendor. Filter the information by relevance. These dashboards include Common Vulnerabilities and Exposures (CVE) entries and ransomware as topics.
- Spotlight shows the 10 companies with the lowest scores, and the 10 most critical issues. It also shows a summary of issues that are most common. Filter this dashboard by company, portfolio, factor, and industry.
For all of these dashboards, you can select columns and generate searches. In some cases, if you select a table or row, the app links to SecurityScorecard to provide more information.
If you need help or have questions about the integration, contact the Splunk support team.